A quick blog on security updates for Exchange Server 2016 and 2019. These fixes address the following vulnerability:
CVE-2021-24085: Microsoft Exchange Server Spoofing Vulnerability
The exploit can be fixed by single security update, which you can find in the table below per current Exchange version.
|Exchange 2019 CU8||Download||15.2.792.5||KB4602269|
|Exchange 2019 CU7||Download||15.2.721.8||KB4602269|
|Exchange 2016 CU19||Download||15.1.2176.4||KB4602269|
|Exchange 2016 CU18||Download||15.1.2106.8||KB4602269|
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU6-KB4588741-x64-en.msp.
Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.